Responder Policy not working with content switch using Proxy Protocol

David Boxall

I am having issues getting a responder policy to work when assigned to my content switch vServer (it's acting as a proxy, so using the proxy protocol type). I am trying to deny certain traffic using a responder policy to drop the request.

I am getting zero hits on the policy. Where am I going wrong? It seems like the Content Switch (Proxy) is ignoring the policy.





First off, are user requests actually going to http://demo.domain.com/example<stuff> or /Example?

As the startswith operator as listed above is case-sensitive unless you change the expression to http.req.url.path_and_query.set_text_mode(ignorecase).starts...


Is the responder feature enabled?


But the real issue may be in fact because you are using the PROXY protocol vserver type, the ADC may be unable to parse the HTTP request as it is treating it as L4 TCP traffic.

As a test, I would see if you kept the policy as is but bound it to an HTTP or SSL vserver and it works but does nothing on the PROXY vserver, then the problem is the lack of visibility into the HTTP elements and you would need to break it down from a TCP standpoint instead.


Then, look to see if you are getting UNDEF result hits on the responder policy; you may need to set a custom action to see this as the default is NOOP which means don't do responder.


Here's some info on proxy:  https://support.citrix.com/article/CTX224265


Going back to basics: does the OP's vserver actually NEED to be of type proxy? A vserver of type proxy is used for very specific purposes. If it's really just an HTTP vserver (and yes, the way Netscaler / Citrix ADC works, the vserver always acts as a proxy), then HTTP would work just fine.... and that would allow the rewrite to work ok.
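
The checks suggested in the replies above, written out as Citrix ADC CLI commands. This is an added example, not part of any poster's reply or the original poster's configuration. The names `pol_drop_example`, `vs_http_test` and `cs_proxy`, the `/example` prefix and the priority are assumptions, and `vs_http_test` is assumed to be an existing HTTP vserver.

```netscaler
# 1. Confirm the responder feature is enabled, and enable it if it is not.
show ns feature
enable ns feature RESPONDER

# 2. Case-insensitive prefix match. The fourth positional argument is the
#    per-policy undefined-result action (RESET here), so an expression that
#    cannot be evaluated shows up as resets and as "Undef Hits".
add responder policy pol_drop_example "HTTP.REQ.URL.PATH_AND_QUERY.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/example\")" DROP RESET

# 3. Control test: bind the same policy to an HTTP vserver and send a
#    request for /example and one for /Example.
bind lb vserver vs_http_test -policyName pol_drop_example -priority 100 -gotoPriorityExpression END -type REQUEST

# 4. Bind it to the content switch vserver under investigation and repeat.
bind cs vserver cs_proxy -policyName pol_drop_example -priority 100 -type REQUEST

# 5. Compare the "Hits" and "Undef Hits" counters after each test.
show responder policy pol_drop_example
```

If the counters rise on `vs_http_test` but stay at zero on `cs_proxy`, the expression is sound and the vserver type is what keeps the policy from being evaluated.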

